Managing Regulatory Relationships – Playing by the Regulator’s Rulebook

Register: https://www.nscp.org/webinar-form/

Summary

The National Society of Compliance Professionals is pleased to host this webinar, “Managing Regulatory Relationships – Playing by the Regulator’s Rulebook.” The rise in compliance violations, coupled with the onset of rigorous new laws, has prompted regulators to conduct increasingly strict regulatory exams. Given that a single negative review can adversely affect a firm’s profitability and reputation, the onus is on banks and financial institutions to do their homework and ensure that they are well prepared to face these exams. For regulatory engagement managers, the biggest task is managing the extensive documentation created during the different stages of the exam process. Without a centralized system to manage the required paperwork, it can be difficult to track, retrieve, and deliver timely information to regulators. Please join Michael Rasmussen, Chief GRC Pundit of GRC 20/20 Research, and other expert panelists to find out more about:
  • Preparing for a regulatory exam – Challenges and ways to overcome them
  • Strengthening regulatory relationship with a robust regulatory exam management process
  • Core elements of an effective regulatory examination management program
  • Adopting technology to streamline the overall examination process and gain process visibility
GRC 20/20 Presenter

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research. Michael Rasmussen is an internationally recognized pundit on governance, risk management, and compliance (GRC) – with specific expertise on the topics of GRC strategy, process, information, and technology architectures and solutions. With 23+ years of experience, Michael helps organizations improve GRC processes, design and implement GRC architectures, and select solutions that are effective, efficient, and agile. He is a sought-after keynote speaker, author, and advisor and is noted as the “Father of GRC” — being the first to define and model the GRC market in February 2002 while at Forrester Research, Inc.

Webinar Sponsor

MetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Their enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance. Leading companies across industry verticals are benefiting from MetricStream’s approach to GRC that is transforming risk management in a business environment that is increasingly mobile, social, global, and virtual.

Leveraging Regulatory Content for Developing an Optimum Compliance Framework

Register: http://info.metricstream.com/regulatory-change.html?Channel=Webinar_MR

Summary

Organizations are grappling with a siege of changing laws, regulations, and enforcement actions. When regulatory change management is an ad hoc process with little to no documentation, accountability, and task management, the organization cannot be intelligent about the compliance risk that impacts its business. For the typical organization, information itself is not enough – it needs a compliance framework supported by an information and technology architecture to keep abreast of regulatory and business change. A well-defined regulatory change management process helps to establish priorities for regulatory updates, assimilate the intake of applicable information, improve accountability by directing actions to the appropriate stakeholders, and determine whether enterprise policies, procedures, and controls need to be adjusted to address the changes. This webinar enables attendees to build a regulatory intelligence strategy and process that allows them to:
  • Develop a regulatory taxonomy/framework indexed to the enterprise risk taxonomy
  • Define and assign roles and responsibilities in line with the organizational structure
  • Conduct regular business impact analysis of regulatory updates
  • Map regulations to the organization’s risks, policies, controls etc. so that applicable GRC elements can be modified when regulations change
  • Revise communication and training programs to keep them current with regulatory change
  • Monitor and audit action plans to ensure that regulatory updates are driven into the controls of the business
GRC 20/20 Presenter

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research (see bio above).

Webinar Sponsor

MetricStream (see description above).

The Compliance Journey: From Checkboxes to Compliance Risk Management

Register: https://attendee.gotowebinar.com/register/6607760696410537475?mtcCampaign=-1&mtcEmail=1808843062

Summary

Compliance today is more than checking boxes on regulatory to-do lists, more than just managing policies and procedures and fixing problems. Compliance management is evolving and is part of the fabric of business operations. Effective compliance requires a risk-based approach operating in the context of the organization’s enterprise risk management program. Join us for an informative session with Michael Rasmussen of GRC 20/20 Research as he highlights his latest research on the compliance journey to risk management. Mikella Newsom, Chief Risk Officer, City Bank, will provide “real-world” insight into the need for an integrated compliance risk management strategy and how it can serve as the foundation for effective enterprise risk management. The discussion will include:
  • How organizations validate they are current with regulations, policies and other obligations in the face of an ever-changing environment
  • Moving from checkboxes to compliance risk management
  • Compliance as an integral part of Enterprise Risk Management for organizations
  • Recommended steps for the journey to compliance risk management
GRC 20/20 Presenter

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research (see bio above).

Webinar Sponsor

SAI Global makes Intelligent Risk possible. The Company helps organizations proactively manage risk to achieve business excellence, growth, sustainability and, ultimately, create trust. SAI Global’s integrated advisory, services and platforms operate across the entire lifecycle, allowing businesses to focus on the opportunities presented by uncertainty. Their solutions include risk management software, standards and regulatory content, ethics and compliance learning, risk assessments, certification, testing and audits. In Australia, SAI Global is also a leading provider of settlement-related services and company, personal and property information. SAI Global Limited is listed on the Australian Securities Exchange with its head office located in Sydney, Australia. The company employs more than 2,000 people across 29 countries and 51 locations across Europe, North America and Asia.

2016: How to Purchase Compliance Management Solutions

Considerations in Selection of a Compliance Management Solutions

Overview

Compliance is pervasive throughout organizations. Many departments manage compliance with a variety of approaches, requirements, and views into compliance. Because of the reach and impact of compliance initiatives, the decision to purchase compliance solutions can quickly evolve into an extensive process, involving dozens of stakeholders and requiring various approval procedures. Compliance professionals often find themselves having to explain the necessity and value of new compliance solutions — as well as combatting pressure to “make it work” with existing systems. This is further complicated by the variety of technology solutions available to manage compliance. Some are broad enterprise compliance platforms, while other compliance solutions focus on specific departments or compliance issues/obligations. Whether for a departmental compliance management need or to manage enterprise compliance across the organization, compliance management solutions are in demand. Recent RFP and inquiry trends that GRC 20/20 is involved with show a growing demand for compliance management solutions. There are several hundred solutions available in compliance management with varying capabilities and approaches. Organizations need to clearly understand the breadth and depth of their requirements, map these into compliance solution capabilities, and understand that there is no one-size-fits-all solution for compliance management, no matter what solution providers may say. It has become a complex segment of the GRC market to navigate, understand, and find the solution(s) that are the right fit for your organization. In this Research Briefing GRC 20/20 provides a framework for organizations evaluating or considering compliance management platforms and more focused compliance solutions.

Agenda
  • Defining & Understanding Compliance Management: Definition, Drivers, Trends & Best Practices
  • Critical Capabilities of a Compliance Management Platform: What Differentiates Basic, Common, & Advanced Solutions
  • Considerations in Selection of a Compliance Management Platform: Decision Framework & Considerations to Keep in Mind
  • Building a Business Case for Compliance Management: Trajectory of Value in Effectiveness, Efficiency & Agility
Benefits

The GRC Pundit will help organizations:
  • Define and scope the compliance management market
  • Understand compliance management drivers, trends, and best practices
  • Relate the components of what makes a compliance management platform
  • Identify core features/functionality of basic, common, and advanced compliance management platforms
  • Map critical capabilities needed in a compliance management platform
  • Predict future directions and capabilities for compliance management
  • Scope how to purchase compliance management platforms in a decision-tree framework
  • Discern considerations to keep in mind as you evaluate compliance management solutions
Who Should Attend
  • Compliance and broader business professionals with responsibilities for compliance management
  • Compliance solution providers offering compliance management solutions
  • Compliance professional service firms advising organizations on compliance management
  • Compliance content & intelligence providers that provide compliance content, intelligence and templates
Instructor

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research (see bio above).

Keeping Policies Relevant in the Midst of Business Changes

Register: http://info.metricstream.com/policy-management-dynamic-organization.html

Summary

Businesses are dynamic and in a constant state of flux. Strategy, processes, technology, and employees transform faster than the speed of light. In this context, if not managed properly, organizational policies quickly become forgotten, irrelevant, or outdated. Policies, the critical governance documents of an organization that establish a legal duty of care, are often haphazardly managed. These challenges grow in the midst of continuous organizational change and evolution. Significant events such as mergers and acquisitions bring in redundant or conflicting policies that remain indefinitely in the new organization. Unceasing change in the workforce, with new employees entering the organization while existing employees shift roles and departments, makes it a significant challenge to keep employees fully aware of the policies that apply to their new role. This webinar educates attendees on how to keep policies relevant and understood in the context of the continuously evolving organization. Attendees will learn the processes, and the role of a supporting information and technology architecture, that enable the organization to keep policies current, relevant, and understood across a dynamic organization.

Objectives

Objectives of this webinar include:
  • Get a grip on business change and how it relates to policies
  • Develop a master policy index
  • Define processes that trigger policy review in context of change
  • Understand how to harmonize policies in the midst of mergers and acquisitions
  • Implement an information and technology architecture to support policy management in a dynamic environment
GRC 20/20 Presenter

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research (see bio above).

Webinar Sponsor

MetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Our market-leading enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance.

2016 NAVEX Global Advisory Council Annual Meeting

Overview

The 2016 NAVEX Global Advisory Council meeting, April 18th – 20th, is at the Mandarin Oriental Hotel in Atlanta. The agenda provides an intimate, interactive and collaborative environment for sharing ideas, trends and best practices. Attendees will capitalize on this opportunity to hear from and engage with other attendees representing some of the world’s leading and most progressive organizations.

GRC 20/20 Participation

GRC 20/20’s Michael Rasmussen, The GRC Pundit, will be presenting on:
  • The Technology Advantage: Placing the Right Bets to Build the Program of the Future.

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research (see bio above).

Conference Host

NAVEX Global empowers organizations to safeguard themselves from ethics & compliance risk. They help more than 12,500 organizations worldwide contain compliance risks amidst a never-ending stream of rapidly evolving internal and external threats. Their suite of proven software, services and expertise helps organizations ensure that their E&C program is proactive, thorough and effective. NAVEX’s mission is to help organizations protect and defend their people, reputation and bottom line—and help them maintain a resilient, ethical organizational culture that helps repel risk.

Simplifying Regulatory Change Management by Leveraging Integrated Content and Technology

Register: http://info.metricstream.com/simplifying-regulatory-change-mgmt.html?Channel=ms-event-webinar

Summary

Banks and financial institutions continue to be challenged in managing the incessant volume of regulatory changes each year, and are now more than ever realizing the need for an integrated and automated system that can simplify the end-to-end regulatory change management process across the enterprise. Join us on this webinar, hosted by The National Society of Compliance Professionals, with experts Michael Rasmussen, Chief GRC Pundit at GRC 20/20 Research, and Susan Palm, Senior VP of Industry Solutions at MetricStream, as they explain the importance of adopting a well-structured regulatory change management program that enables companies to assess the scope and impact of changes, establish priorities, and initiate corrective action plans to adjust impacted policies, controls and procedures.

Objectives

Attendees can learn how to:
  • Manage regulatory changes in a dynamic regulatory environment
  • Drive control and efficiency with a well-defined regulatory change management program
  • Leverage GRC technology platform for real time regulatory alerts and impact analysis
GRC 20/20 Presenter

Michael Rasmussen – The GRC Pundit @ GRC 20/20 Research (see bio above).

Webinar Sponsor

MetricStream is simplifying Governance, Risk, and Compliance (GRC) for modern and digital enterprises. Our market-leading enterprise and cloud Apps for GRC enable organizations to strengthen risk management, regulatory compliance, vendor governance, and quality management while driving business performance.

GRC Architecture to Manage Regulatory Change

This is part 4 on the topic of regulatory change management. In the previous posts we explored: In this post I detail the information and technology architecture needed to support an efficient, effective, and agile regulatory change management process. These posts are excerpts from the broader GRC 20/20 Research Paper, Regulatory Change Management: Effectively Managing Regulatory Change.
Effectively managing regulatory change is done with a GRC information and technology architecture that improves processes and transforms manual, document- and email-centric processes. Organizations use technology to document, communicate, report, monitor change, and facilitate business impact analysis.

Regulatory Change Management Architecture Goals

A GRC information and technology architecture helps the organization to manage regulatory change to:
  • Ensure that ownership and accountability of regulatory change is clearly established and understood.
  • Manage ongoing business impact analysis and scoring.
  • Integrate regulatory intelligence feeds that kick-off workflows and tasks to the right SME when change occurs that impacts the organization.
  • Monitor the internal organization’s environment for business, employee, and process change that could impact the firm’s state of compliance.
  • Identify changes in risk, policy, training, process, and control profiles based on regulatory change assessments.
  • Visualize the impact of a change on the organization’s processes and operations.
The right GRC information and technology architecture allows compliance and regulatory experts to profile regulations, link with external content feeds and content aggregators, and push new developments or alerts into the application and disseminate for review and analysis. It delivers effectiveness and efficiency using technology for workflow, task management, and accountability documentation—allowing the organization to be agile amidst change. It enables the organization to harness internal and external information and be intelligent about regulatory environments across the organization.

Regulatory Change Management Architecture Considerations

In evaluating regulatory change management solutions that integrate regulatory intelligence feeds and technology, organizations should ask the following three questions:
  1. How adaptable is the regulatory taxonomy? The regulatory taxonomy provides the backbone of regulatory change management, as it maps regulations to other objects such as business processes, assets, subject matter experts, risks, controls, policies and more. Organizations should specifically understand how adaptable the taxonomy/mapping is to fit the organization’s environment and evolve as the business evolves, and how easy it is to adapt the metadata and taxonomy structure.
  2. How rich is the regulatory content? A lot of GRC solutions can handle the workflow and task management of regulatory change management. What really differentiates capabilities is the depth and breadth of the regulatory intelligence content feeds that the solution offers. This includes regulator coverage, geographic coverage, supporting news and analysis, frequency of updates, and actionable content/recommendations.
  3. How strong is the technology? As stated, a lot of solutions can do workflow and task management for regulatory change, so the evaluation of the technology itself needs to go deeper into the system’s ability to integrate regulatory intelligence feeds, conduct business impact analysis, and connect and understand the relationships of regulatory impact to policies, processes, and risks. Of particular importance is the user experience. SMEs across the enterprise may or may not be technical gurus; the overall user experience should be intuitive and natural.
    • Deficient technology involves documents and spreadsheets, with email used as the workflow and task management tool. The organization struggles with things getting missed and with not having a structured system of accountability.
    • Moderate technology provides a system of accountability with basic workflow and task management, but the integration of regulatory developments/updates is a manual entry system that is time-consuming and taxing on resources.
    • Strong technology for regulatory change management has enterprise content, workflow and task management capabilities with integration to actionable regulatory content. It enables a closed-loop process as it delivers and integrates regulatory content and insight with technology in an integrated architecture. It also allows the indexing and mapping of regulations to other GRC elements.
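The three questions above all turn on the taxonomy: a regulation is a node linked to the policies, controls, processes and SMEs it touches, and a change arriving from an intelligence feed becomes an owned, time-boxed task whose scope is read off those links. The following toy model is an added example written for this post; it is not GRC 20/20's code or any vendor's product, and every regulation id, control name, owner and SLA value in it is constructed. It also covers the repeal case discussed later in the post: a control shared with a second, still-active regulation must not be flagged as retirable just because one of the regulations requiring it went away.

```python
"""Toy regulatory taxonomy with business impact analysis and SME routing.

Added example, not GRC 20/20's code or any vendor's product. Regulation ids,
control names, owners and SLA days are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed review SLAs keyed by the initial criticality ranking.
DEADLINE_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Regulation:
    reg_id: str
    jurisdiction: str
    subject: str
    owner: str                 # accountable SME for this regulatory area
    policies: frozenset
    controls: frozenset
    processes: frozenset


@dataclass(frozen=True)
class ChangeEvent:
    reg_id: str
    criticality: str           # "high" | "medium" | "low"
    summary: str
    received: date


@dataclass
class ReviewTask:
    reg_id: str
    assignee: str
    due: date
    policies: list
    controls: list
    processes: list


class Taxonomy:
    """Maps each regulation to the GRC objects it touches (the 'backbone')."""

    def __init__(self, regulations):
        self.regs = {r.reg_id: r for r in regulations}

    def impact(self, reg_id):
        """Business impact analysis: every object linked to the regulation."""
        r = self.regs[reg_id]
        return sorted(r.policies), sorted(r.controls), sorted(r.processes)

    def retire_candidates(self, reg_id):
        """Controls that only this regulation requires.

        A control shared with another, still-active regulation must stay in
        place when this one is repealed; listing it as retirable would open
        a compliance gap that nobody owns.
        """
        still_required = set()
        for other_id, other in self.regs.items():
            if other_id != reg_id:
                still_required |= other.controls
        return sorted(self.regs[reg_id].controls - still_required)


def route_change(taxonomy, event):
    """Turn an intelligence-feed event into an owned, time-boxed review task."""
    if event.reg_id not in taxonomy.regs:
        # An unmapped regulation is a taxonomy gap, not something to route blindly.
        raise KeyError(f"unmapped regulation {event.reg_id}")
    if event.criticality not in DEADLINE_DAYS:
        raise ValueError(f"unknown criticality {event.criticality!r}")
    reg = taxonomy.regs[event.reg_id]
    policies, controls, processes = taxonomy.impact(event.reg_id)
    due = event.received + timedelta(days=DEADLINE_DAYS[event.criticality])
    return ReviewTask(event.reg_id, reg.owner, due, policies, controls, processes)


# Constructed sample taxonomy: two regulations that share one control.
TAXONOMY = Taxonomy([
    Regulation("REG-A", "US", "record retention", "alice",
               frozenset({"POL-RETENTION"}),
               frozenset({"CTL-LOGGING", "CTL-BACKUP"}),
               frozenset({"PRC-ARCHIVE"})),
    Regulation("REG-B", "EU", "access control", "bob",
               frozenset({"POL-ACCESS"}),
               frozenset({"CTL-LOGGING", "CTL-MFA"}),
               frozenset({"PRC-ONBOARDING"})),
])

# Constructed feed event: an amendment to REG-A ranked high.
CHANGE = ChangeEvent("REG-A", "high", "retention period extended", date(2016, 1, 4))

if __name__ == "__main__":
    task = route_change(TAXONOMY, CHANGE)
    print(f"{task.reg_id} -> {task.assignee}, due {task.due}, controls {task.controls}")
    print("retirable if REG-B is repealed:", TAXONOMY.retire_candidates("REG-B"))
```

The mapping is deliberately held in plain data rather than buried in workflow rules, which is what makes the first question (how adaptable is the taxonomy?) answerable: adding a new object type or re-linking a control is a data change, not a re-implementation. `retire_candidates` is the check that the impact analysis for a repeal has to run before anything is decommissioned.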

Regulatory Change Management Architecture Capabilities

All of these elements are critical, which is why they come together in a GRC architecture or platform for regulatory change management. Some solutions in the GRC space deliver across these three elements and are being used to gather regulatory information, weed out irrelevant information, and route critical information to the SMEs responsible for making a decision on a particular topic. At a minimum this requires workflow and task management capabilities, but mature systems provide direct integration with regulatory content aggregators. These aggregators manage regulatory profiles and provide data about relevant new developments that can be routed to the individuals responsible for evaluating specific regulatory subject areas. Advanced solutions map regulatory changes to the appropriate metadata as part of a fully integrated, dynamic, and agile process. Specific capabilities to be evaluated in a GRC solution for regulatory change management include:
  • Regulatory intelligence content.  At a very basic level, the solution should allow for simple manual entry of new changes and updates so they can be routed to the correct SME for analysis. More advanced solutions provide the interface to content to search for related laws, statutes, regulations, case rulings, analysis, news, and information that intersect with the change and could indicate regulatory risks that need to be monitored actively. The solution needs to automatically capture and access regulatory related information and events from various external sources that are flagged as relevant to the business. This capability helps ensure that regulatory affairs and compliance teams are up-to-date on new, changing, or evolving regulatory requirements. Regulatory intelligence feeds should be easily configured and categorized in the regulatory taxonomy, providing a powerful and comprehensive inventory of changes in laws and regulations. The regulatory content should identify information such as geographic area/jurisdiction, issuing regulatory body, subject, effective date, modification date, end date, title, text, and guidance for compliance. The guidance should give commentary on how regulatory alerts are effectively transformed from rules into actionable tasks and modifications to internal policies and processes.
  • Content management. The solution should be able to catalog and version regulations, policies, risks, controls and other related information. It should maintain a full history of how the organization addressed the area in the past, with the ability to draft new policies, assessments, and other compliance responses for approval before implementation. The solution needs to provide a central repository for storing and organizing all types of regulations and laws based on various templates and classification criteria, within a defined taxonomy. The system should be able to maintain a history of actions taken and analysis, including review periods, and obsolescence rules that can be set for regulations.
  • Process management. A primary directive of a defined regulatory change management process is to provide accountability. Accountability needs to be tracked as regulatory change information is routed to the right SME to review and define actions. The SME should be notified that there is something to evaluate and given a deadline based on an initial criticality ranking. The SME must be able to reroute the task if it was improperly assigned or forward it to others for input. Individuals and/or groups of SMEs must have visibility into their assignments and time frames. Built-in automatic notification and alert functionality with configurable workflows facilitates regulatory change management in the context of the organization’s operations.
  • Business impact analysis. The system needs to provide functionality to identify the impact of changes of regulations on the business environment and its operations and then communicate to relevant areas of the organization how the change impacts them. This is conducted through a detailed business impact analysis in the platform and is facilitated by being able to tag regulatory areas/domains to respective businesses and products. The overall system needs to be able to keep track of changes by assessing their impact, and triggering preventive and corrective actions. Furthermore, the solution should ensure that stakeholders and owners are informed, tasks related to actions are assigned, and due dates for the completion of actions/tasks are defined. Similarly, when regulations are removed, repealed or deactivated, the solution assesses the impact of the change, and sets up the appropriate responsive actions.
  • Mapping regulations to risks, policies, controls and more. A critical component to evaluate is the solution’s ability to link regulations to internal policies, risks, controls, training, reports, assessments, and processes. The ability to map to business lines, products, and geographies allows companies to manage a risk-based approach to regulatory compliance. The workflow, defined above, automatically alerts relevant stakeholders for necessary action and process changes. It also supports electronic sign-offs at departmental and functional levels that roll up for executive certifications.
  • Ease of use. Regulatory experts are not typically technical experts. The platform managing risk and regulatory change has to be easy to use and should support and enforce the business process. Tasks and information presented to the user should be relevant to their specific role and assignments.
  • Audit trail and accountability. It is absolutely necessary that the regulatory change management solution have a full audit trail to see who was assigned a task, what they did, what was noted and whether notes were updated, and to track what was changed. This enables the organization to provide full accountability and insight into who reviewed regulations, how, and when; to measure the impact on the organization; and to record what actions were recommended or taken.
  • Reporting capabilities. The solution should provide full reporting and dashboard capabilities to see what changes have been monitored, who is assigned what tasks, which items are overdue, what the most significant risk changes impacting the organization are, and more. Additionally, by linking regulatory requirements to the other aspects of the platform, including risks, policies, and controls, the reporting should provide an aggregate view of a regulatory requirement across multiple organizational units and business processes.
  • Flexibility and configuration. No two organizations are identical in their processes, risk taxonomy, applicable regulations, structure, and responsibilities. The information collected may vary from organization to organization as well as the process, workflow, and tasks. The system must be fully configurable and flexible to model the specific organization’s risk and regulatory intelligence process.

Defining a Regulatory Change Management Process

This is part 3 on the topic of regulatory change management. In the previous posts we explored the pressure organizations are under in the context of regulatory change; in this post we look at what elements are needed in an efficient, effective, and agile regulatory change management process.
Organizations are struggling with regulatory change and seeking to integrate technology with actionable and relevant regulatory change content to support consistent regulatory change processes. A dynamic business environment requires a process to actively manage regulatory change and the fluctuating risks impacting the organization. The old paradigm of uncoordinated regulatory change management is a disaster given the volume of regulatory information, the pace of change, and the broader operational impact on today’s risk environment.

Elements of a Regulatory Change Management Process

Regulatory change management requires a process to gather information, weed out irrelevant information, route critical information to SMEs for analysis, track accountability, and determine the potential impact on the organization. The goal should be a regulatory change management strategy that monitors change, alerts the organization to risk conditions, and enables accountability and collaboration around changes impacting the firm. This requires a common process that delivers real-time accountability and transparency across regulatory areas, with a common system of record to monitor regulatory change, measure impact, and implement appropriate risk, policy, training, and control updates. To achieve this, financial services organizations must develop a process for collaboration, accountability, and integration with regulatory intelligence content providers within a GRC information and technology architecture. A well-defined regulatory change management process includes:
  • Regulatory taxonomy and repository. The foundation of regulatory change management is a regulatory taxonomy and repository. The regulatory taxonomy is a hierarchical catalog/index of the regulatory areas that impact the organization. Regulations are broken into categories to logically group related areas (e.g., employment and labor, anticorruption, privacy, anti-money laundering (AML), fraud). Integrated with this taxonomy is a repository of the regulations indexed into the taxonomy. One regulation may have multiple links into the taxonomy at different areas. The taxonomy and repository map into the following elements:
    • Regulatory bodies (e.g., lawmakers, central banks, government bodies, regulators, self-regulatory organizations (SROs), exchanges, clearers, industry associations, trade bodies)
    • Document types (e.g., laws, regulations, rules, guidance, releases)
    • Sources (e.g., websites, RSS feeds, newsletters, etc.)
    • Attributes needed for classification, filtering, and reporting (e.g., business process, jurisdiction/geography, related regulations, regulator, status of change, relevant dates, consequences)
    • Rules & regulatory events
  • Regulatory roles and responsibilities. Success in regulatory change management requires accountability—making sure the right information gets to the right person, the one who has knowledge of the regulation and its impact on the organization. This requires identifying SMEs for each regulatory category defined in the taxonomy. This can be subdivided into SMEs with particular expertise in subcategories or specific jurisdictions, or who perform specific actions as part of a series of changes made to address change requirements.
  • Regulatory content feeds. To support the regulatory change management process, the financial services organization should identify the best sources of intelligence on regulatory developments and changes. Content feeds can come directly from regulators as well as from law firms, consultancies, newsletters, blogs by experts, and content aggregators. The best content includes the regulation itself, a summary of the change, its impact on typical financial services organizations, and recommendations on response with suggested actions. The range of regulatory change content should span new regulations, amended regulations, new legislation, regulatory guidance, news and circulars, comment letters, enforcement actions, feedback statements, and regulator speeches.
  • Standard business impact analysis methodology. To maintain consistency in evaluating regulatory change, financial services organizations should have a standardized impact analysis process that measures impact of the change on the organization to determine if action is needed and prioritize action items and resources. This includes identifying related policies, controls, procedures, training, tests, assessments, and reporting that need to be reviewed and potentially revised in the context of the change. The analysis may indicate a response to simply note that the change has no impact and the organizational controls and policies are sufficient, or it may indicate that a significant policy, training, and compliance-monitoring program must be put in place.
  • Workflow and task management. The backbone of the regulatory change management process is a system of structured accountability that takes in regulatory changes from content feeds and routes them to the right subject matter expert for review and analysis. This is extended by involving others in review and response, and it requires standardized workflow and task management with escalation capabilities for items that are past due. The process needs to track who is assigned what tasks, establish priorities, and determine the appropriate course of action.
  • Metrics, dashboarding & reporting. To govern and report on the regulatory change management process the organization needs an ability to monitor metrics and report on the process to determine process adherence, risk/performance indicators, and issues. This should provide the organization a quick view into what regulations have changed, which individuals in the organization are responsible for triage and/or impact analysis, the state of review of change, who is accountable, and overall risk impact on the organization.
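The elements above can be modelled as a small system of record: a taxonomy in which one regulation is indexed under several categories, an SME accountable for each category, tasks with a deadline derived from the initial criticality ranking, an audit trail of every assignment, and an escalation list for past-due items. This is an added, constructed example and not code from the post or from any GRC product; the category names, SME names, SLA days, and regulation references are placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Review deadline in days by initial criticality ranking (constructed values).
SLA_DAYS = {"high": 5, "medium": 15, "low": 30}

@dataclass
class Regulation:
    ref: str          # placeholder citation, e.g. "REG-001"
    categories: set   # taxonomy nodes the regulation is indexed under (may be several)

@dataclass
class Task:
    regulation: str
    category: str
    owner: str
    criticality: str
    due: date
    status: str = "open"

@dataclass
class ChangeRouter:
    sme_by_category: dict                     # taxonomy category -> accountable SME
    tasks: list = field(default_factory=list)
    audit_trail: list = field(default_factory=list)  # (date, regulation, category, note)

    def route(self, reg: Regulation, criticality: str, received: date) -> list:
        """Create one review task per taxonomy category the regulation is indexed in."""
        created = []
        for cat in sorted(reg.categories):
            owner = self.sme_by_category.get(cat)
            if owner is None:
                # Gap in roles and responsibilities: record it rather than drop the change.
                self.audit_trail.append((received, reg.ref, cat, "UNROUTED: no SME for category"))
                continue
            task = Task(reg.ref, cat, owner, criticality, received + timedelta(days=SLA_DAYS[criticality]))
            self.tasks.append(task)
            self.audit_trail.append((received, reg.ref, cat, f"assigned to {owner}, due {task.due}"))
            created.append(task)
        return created

    def reassign(self, task: Task, new_owner: str, when: date) -> None:
        """SME reroutes an improperly assigned task; the change is logged, never silent."""
        self.audit_trail.append((when, task.regulation, task.category,
                                 f"rerouted from {task.owner} to {new_owner}"))
        task.owner = new_owner

    def overdue(self, today: date) -> list:
        """Escalation list: open tasks whose deadline has passed."""
        return [t for t in self.tasks if t.status == "open" and t.due < today]
```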
[Figure: Types of Metrics & Examples]

Value and Benefits of a Regulatory Change Process

When organizations develop a regulatory change process they expect to be:
  • Effective. They seek a greater understanding of changing regulatory requirements and their impact on the organization, enabling the organization to be proactive in gathering, organizing, assessing, prioritizing, communicating, addressing, and monitoring regulatory change. This allows the organization to demonstrate evidence of good compliance practices.
  • Efficient. They seek to optimize human and financial capital resources to consistently address regulatory change and enable sustainable management of resources as the business and regulatory landscape grows.
  • Agile. They seek to turn a dynamic and changing environment into an advantage over competitors that are handicapped by the same change. This requires the organization to understand how the regulatory environment affects the organization and its strategy, and how to adapt quickly and respond to new developments before competitors do.
The full paper on this topic in the context of financial services can be found here.